From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040404 Firefox/0.8
Description of problem:
i use nss_ldap for authentication. frequently when users try to login
gdm will crash. it is restarted automatically and the next login
usually succeeds. xscreensaver also crashes when it is configured to
ask for a password.
in an attempt to debug this problem i set LD_ASSUME_KERNEL=2.2.15,
ulimit -c unlimited, and ran the test-passwd program that is an
optional part of xscreensaver. it seems to show things dying in
err_cmp in openssl. am i interpreting the data correctly? is there a
better
if ldaps:// is unconfigured the crashes stop until ldaps:// is reenabled.
Version-Release number of selected component (if applicable):
openssl-0.9.7a-33.10, openldap-2.1.22-8, nss_ldap-207-6
How reproducible:
Always
Steps to Reproduce:
1. configure pam_ldap to use ldaps:// authentication
2. build test-passwd from xscreensaver package.
3. run test-passwd and enter the wrong password until it crashes
(./test-passwd tty)
Actual Results: it crashes after less than 12 bad passwords (usually 2).
Expected Results: it should say password okay and not crash.
Additional info: qualitatively, it seems to be worse since the last
openssl update.

You're right that it could be security relevant however the question is which
code is the culprit. I'd suppose nss_ldap or openldap because there were no
significant changes which could affect this bug between FC2 and FC3 in the
openssl package.

I would like to think that a bug that possibley causes a pam module to segfault
would be important enough to fix just on its own or at least rule that out...
It seems fairly clear that the error and segfault happens in err.c line 904
(which is part of openssl, crypto/err/err.c) based on the backtrace. It is
possible in more recent versions there is a fixed issue but if this is still
happening in FC2/FC3 and older it would be wise to at least produce a security
advisory that states xscreensaver and other programs which depend on SSL may
crash in certain unknown cases, possibly leaving a system without basic security...
Regards